
Exin CITM Exam - Topic 3 Question 11 Discussion

Actual exam question for Exin's CITM exam
Question #: 11
Topic #: 3

What is the correct sequence of activities for a risk assessment?

Suggested Answer: C

The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context --- identify --- analyse --- evaluate --- treatment (C).

Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).

Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.

Analyse: Assess the likelihood and impact of identified risks to determine their severity.

Evaluate: Compare risks against risk criteria to prioritize them for treatment.

Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.

Option A: Incorrect, as "monitor and review" is a post-treatment step, not the starting point.

Option B: Incorrect, as "communication" is not a distinct step in risk assessment; it is embedded throughout.

Option D: Incorrect, as it skips "establish context," which is essential for defining the assessment's scope.

This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.

Contribute your Thoughts:

Corazon
5 days ago
B is the way to go. Communication is crucial throughout the entire risk assessment process.
upvoted 0 times
Broderick
11 days ago
D seems more logical to me. You need to identify the risks first before you can analyze and evaluate them.
upvoted 0 times
Glendora
16 days ago
C is the correct answer. Establishing the context is the first step in a risk assessment.
upvoted 0 times
Sina
21 days ago
I believe option C is correct because it logically flows from context to treatment, but I could be mixing it up with another question we did.
upvoted 0 times
Sheridan
26 days ago
I’m a bit confused about the monitoring part. Does it come at the end or is it part of the ongoing process?
upvoted 0 times
Rene
1 month ago
I remember practicing a similar question, and I feel like "identify" comes before "evaluate," which might point to option D.
upvoted 0 times
Andra
1 month ago
I think the sequence starts with establishing context, but I'm not sure if it's option C or D.
upvoted 0 times
Brandon
1 month ago
Hmm, I'm not totally sure. I know the sequence is important, but I'm having trouble remembering the exact steps. I'll just have to make my best guess and hope for the best.
upvoted 0 times
Hollis
2 months ago
I'm leaning towards B. Communication is an important first step in the risk assessment process, right? Then establish the context, analyze the risks, implement the treatment, and monitor/review. But I could be overthinking this.
upvoted 0 times
Hillary
2 months ago
Okay, I've got this. The key is to start by establishing the context, then identify the risks, analyze them, evaluate the options, and finally implement the risk treatment. I'm pretty confident C is the right answer.
upvoted 0 times
Eveline
2 months ago
Hmm, I'm a bit confused. I was thinking it might be D, but now I'm not sure. I'll have to review the risk assessment process again.
upvoted 0 times
Edgar
2 months ago
I think the correct sequence is C. Establish context, identify, analyse, evaluate, and then treatment.
upvoted 0 times